My server was taken down by a well-known hacker group trying to extort me for 3 Bitcoin, which in US dollars, is in the tune of $1500. They said that they would continue attacking my server and my websites until I paid them, and that the attack would continue to increase in severity until they got what they wanted.
Having your website attacked is one of the most frustrating things that can happen to a business owner. Web hosts are not always readily available, and if/when you finally get ahold of somebody, the chances are slim that they are a higher-level technician that can actually help you diagnose the issue.
Of course, creating a support ticket is your best long-term bet, and should be your very first move.
Support tickets can take hours or even days to get a response from a technician at most major hosting companies. If you feel like doing something to stop the attack in the meantime, you'll need to figure out how your website is being attacked and fix the issue.
Let's determine what kind of attack your site is being hit with.
Determining Attack Type
The first step is to determine what kind of attack your website is experiencing.
Most of the time, if your website isn't loading, you are being hit with a DoS or DDoS attack, which stands for Denial of Service (or Distributed Denial of Service, respectively). This means that one or more computers is attacking your website to overwhelm your server and knock it offline so your visitors can't access your content.
This is one of the easiest attacks to execute, and it is a very common one to be hit by your competitors, or perhaps an angry customer.
If you're getting pop-ups, browser warnings, redirections, or viruses on your site, you most likely have a software or plugin vulnerability on your site, which requires a more thorough investigation from your host.
If you don't see any of these, but your website is still offline, let's move ahead to find out which connections are responsible for your server being offline.
Determining If You Have SSH and FTP Access
Have you tried connecting to your website via FTP? Does it load? If so, this is further evidence of a Denial of Service attack.
Have you tried connecting to SSH? If you have a dedicated server (which you really should), connect to your site via SSH.
Once you're connected to your server through SSH, we can run some commands to see what's going on.
Scanning for Abusive IP Addresses
Once you're connected to SSH, run this command to see a list of every IP that is connected to your server:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Take note of any IP addresses that have an alarming amount of connections. Your average user will have anywhere from 1 to 10 connections, where-as an IP that is attacking your server will have hundreds. In my case, each IP had about 500 connections.
Next, do a Google search of the IP address, or use a site like whatismyipaddress. What country is it from? Do you see a similarity between the attack IPs? Are they all from Romania, or are they all from Tor's network? Take note of any similiarities, as they may be the final clue that you need to block these.
Next, block the offending IPs. This will stop most of the less-sophisticated denial of service attacks.
You can permanently block the offending IP with this command (replace xxx.xxx.xxx.xxx with the attacker's IP address, and repeat as necessary:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
You can also paste this in, which creates a rule that will drop connections from people trying to load your website more than 10 times simultaneously:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables-save >/etc/iptables.up.rules
Lastly, save what you've done so these changes will stick, even after a sever restart:
iptables-save > /etc/iptables.up.rules
iptables-restore < /etc/iptables.up.rules
Check your website. Does it load? Yay!
If it doesn't load, keep running checks with the first command I listed, and look for new IPs that are using way too many connections. In my case, the attacking IP would change every minute, and every single IP was from the Tor network. I ended up having to block every single Tor exit node on this list, which stopped this attack.
Other Types of Denial of Service Attacks
With the previous method, attackers can take down large websites, even websites with anti DDoS measures in place. It works by exhausting every connection that your website has to offer, and doesn't allow real users in, since it's too busy trying to serve the fake users.
However, if you didn't see any high connection IP addresses in the above steps, or you can't connect to FTP or SSH, it's likely you're getting hit with a UDP or TCP flood, which relies on brute force from a single connection. A single IP can send a tremendous amount of data, especially if it's from a datacenter, and it will only show up as a single connection.
This requires a more thorough pruning of your active connections, and in some cases (if the attack is large enough), a dedicated hardware / software firewall for your server. This is something you should be able to purchase from most hosts.
Hopefully -- after these steps -- you've managed to get your site back online. Now, let's look into preventative measures to reduce the risk of being affected by something like this again.
Server Hardening
If a software or dedicated hardware firewall isn't available by your host, you can always harden Apache on your web server, which will prevent help your server identify and automatically block malicious connections like these.
You'll want to install the mod_reqtimeout module for Apache, documented here.
You can adjust configuration for this in the WHM Includes Editor under "Pre-Main-Global". A basic configuration for this to drop most malicious connections automatically would look something like this:
RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500
Depending on your host and skill level, you might need to create a support ticket to have a tech help you with this.
Reducing Server Load and Attack Surface Area
A heavy website with a lot of images, videos, and moving parts will strain your server more, and will have a larger 'attack surface area'.
There are a few things you can do to help this. The first would be setting up a Content Delivery Network (CDN), which automatically hosts your website code, images, and dependencies on blazing fast servers. Companies like MaxCDN or Amazon CloudFront are very easy to use, and if you use Wordpress, you can usually set up your CDN in about 5 minutes with the W3 Total Cache plugin.
The next time somebody attacks your site, they will be trying to load a page that is practically a simple HTML page, since all of your website's images and content are hosted on their servers. This reduces the strain on your server dramatically, and a site with a CDN will survive a DDoS much more easily.
It will also load much faster and will rank better in Google. I pay a few bucks a month for Amazon CloudFront; it's a worthwhile upgrade.
A caching plugin like W3 total cache will also help you serve cached HTML pages to your visitors, instead of the bloated Wordpress code. This essentially takes a snapshot of what your website looks like loaded, and serves that version to your visitors. It functions the exact same way, but since it's cached, your server isn't working as hard. A cached website will often times survive a DDoS attack, where a non-cached website will fall.
Cloudflare "Always Online" and DNS Level DDoS Protection
I personally don't use Cloudflare, but if your site is under attack, Cloudflare is a very easy upgrade to stop the majority of these types of attacks.
It works by acting as a bullet proof DNS server. Every connection to your site first has to pass through Cloudflare, which has sophisticated DDoS protection and special features like "Always Online", which will serve up your website even if your server is offline from an attack.
Their free option is fine for most people, but paying to upgrade certainly has its benefits, like better DDoS protection and hardening options.
Final Thoughts
When it comes down to it, unless you're a skilled Linux server technician, your host is going to do the best job at isolating and fixing the issue.
In my case, I was able to stop the attack before my support ticket was answered by using the above steps, and then they helped me harden Apache to prevent this from happening in the future.
Let me know if this helped you in the comments below, or if you have any other techniques for getting a website that is under attack back online!